‘Hundreds of computers’ in Ukraine hit with wiper malware

Hundreds of computers in Ukraine have been infected with data-wiping Windows malware, say researchers at ESET.

In a series of tweets on Wednesday, the infosec biz said it picked up its first sample of the software nasty at about 1500 UTC, and believes the code has been in the works for the past two months.

“ESET telemetry shows that it was installed on hundreds of machines in the country,” the biz stated.

We’re told the data wiper is cryptographically signed with a legit, and presumably stolen, developer certificate to persuade antivirus tools and users to trust it. The malware uses drivers from a partitioning program to corrupt storage devices and destroy files on infected systems, according to ESET.

It’s not entirely clear right now how the malware is dropped onto victims’ machines and run, though in one case, said ESET, an organization’s Active Directory server was probably compromised to distribute the wiper through the network via a group policy object.

Symantec’s threat intelligence wing also said it had spotted data-trashing malware in Ukraine; the Broadcom-owned biz added it had also seen infections in Latvia and Lithuania.

ESET dubbed the nasty Win32/KillDisk.NCV. It’s understood the code not only wipes files from the drive, it also nukes the MBR, making booting and recovery difficult or impossible thereafter.

This comes as various Ukrainian websites were disrupted to varying degrees by denial-of-service attacks, and Britain’s National Cyber Security Centre warned of a new Kremlin-linked strain of malware that appears to
